Installing and Configuring the Cisco 6510 Software

This chapter explains how to install and configure the Cisco 6510 Service Selection Gateway (Cisco 6510) software. Before performing any procedures in this chapter, follow the instructions in the Cisco 6510 Service Selection Gateway Hardware Installation Guide until the Cisco 6510 displays the SSG > prompt.

Updating the Cisco 6510 Software

The Cisco 6510 ships in bootable form with its software in Flash memory. However, its software or ROM BIOS might need to be updated. To check whether it needs to be updated:

Step 1 From the SSG > prompt, enter version.

The Cisco 6510 displays text similar to the following:

Service Selection Gateway Version 1.1(1) Build XX

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to

restrictions as set forth in subparagraph (c) of the Commercial

Computer Software - Restricted Rights clause as FAR sec. 32.227-19

and subparagraph (c) (i) (ii) of the Rights in Technical Data and

Computer Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, California 95134-1706

Step 2 Note the version and build number of the installed software.

Step 3 Use a web browser to access Cisco Connection Online (CCO):

http://www.cisco.com/pcgi-bin/tablebuild.pl/6510

Step 4 To access CCO, you must be a registered user. After entering your username and password, the next page displays a list of available files. If the Cisco 6510 software image file and/or the ROM BIOS file on CCO is newer than the installed version, download the software and update the Cisco 6510. For information on updating the Cisco 6510, refer to the next sections.

Updating the Cisco 6510 ROM BIOS

To update the Cisco 6510 ROM BIOS, complete the following steps:

Step 1 Rename the downloaded software image file to rombios.

Step 2 Copy this file to a 1.44 MB DOS-formatted 3.5-inch disk.

Step 3 Power on the Cisco 6510.

Step 4 Insert the disk in the Cisco 6510 disk drive.

Step 5 Enter the following command at the SSG > prompt:

burnimg -f /fd0/rombios -t bios

The Cisco 6510 begins updating its ROM BIOS.

Step 6 When it is finished, remove the disk and reboot the Cisco 6510 by entering:

reboot

Updating the Cisco 6510 software

To update the Cisco 6510 software, complete the following steps:

Step 1 Rename the downloaded software image file to csco6510.

Step 2 Copy this file to a 1.44 MB DOS-formatted 3.5-inch disk.

Step 3 Power on the Cisco 6510.

Step 4 Insert the disk in the Cisco 6510 disk drive.

Step 5 Enter the following command at the SSG > prompt:

burnimg -f /fd0/csco6510

The Cisco 6510 begins updating its software.

Step 6 When it is finished, remove the disk and reboot the Cisco 6510 by entering:

reboot

Naviga ting the Cisco 6510 User Interface

The Cisco 6510 uses a command-line interface (CLI) for configuring its parameters. All Cisco 6510 CLI commands are case-insensitive.

If you are using two Cisco 6510s for failover, the active Cisco 6510 replicates settings to the standby unit whenever a command is entered. To keep the settings synchronized, make sure to enter all configuration commands at the active unit.

For a complete listing of commands, refer to "Command Reference." For a complete listing of command parameters, refer to "Configuration Reference."

Pattern Matching

The config set command supports pattern matching and is convenient for setting multiple parameters. For example, if you entered config set fei, you would be prompted to configure the following parameters:

Carriage Return to Skip; '.' to quit; 'c' to clear -->
FEI0_InetAddr: <10.10.10.1>: 
FEI0_Mask: <255.255.0.0>: 
FEI0_InetGateway: <>: 
FEI0_InetName: <Hosts>: 
FEI1_InetAddr: <171.69.255.54>: 
FEI1_Mask: <255.255.255.240>: 
FEI1_InetGateway: <171.69.255.49>: 
FEI1_InetName: <UCPcard>: 
FEI2_InetAddr: <171.69.255.21>: 
FEI2_Mask: <255.255.255.248>: 
FEI2_InetGateway: <171.69.255.22>: 
FEI2_InetName: <ISPcard>:

Saving Configuration Settings

When you enter a command from the SSG > prompt, it immediately takes effect and, if applicable, is copied to the standby unit. However, the configuration is not saved to Flash memory. After making any changes, enter config save.

If you make a mistake while entering a command, simply enter the command again with the correct settings. If you make several mistakes or are not sure what you did, enter reboot. When prompted to save the configuration, select no.

Restoring Default Settings

To restore the Cisco 6510 to its default factory settings, enter config setdefault.

Help Information

Online help is available for the Cisco 6510 using the following methods:

To display a list of all available commands, enter help.
To display the syntax for a specific command, enter the command name followed by a question mark (?). For example, to display the syntax for the config command, enter config ?.

Configuring Basic Settings

The following sections describe the minimum parameters that must be configured to use the Cisco 6510.

Configuring the Interface Cards

To configure interface card settings, enter the following:

SSG > config set fei

The Cisco 6510 prompts you to configure all interface card settings. When you are finished configuring interface card settings, enter config save.

Table 2-1 describes each parameter.

Parameter	Description
FEI0_InetAddr	IP address of interface card 0, the interface card that connects to the host network.
FEI0_Mask	Subnet mask of interface card 0.
FEI0_InetGateway	IP address of the default gateway to which interface card 0 attaches.
FEI0_InetName	Description of interface card 0. This field does not affect operation.
FEI1_InetAddr	IP address of interface card 1, the interface card that connects to AAA¹ and DHCP² services.
FEI1_Mask	Subnet mask of interface card 1.
FEI1_InetGateway	IP address of the default gateway to which interface card 1 attaches.
FEI1_InetName	Description of interface card 1. This field does not affect operation.
FEI2_InetAddr	IP address of interface card 2, the interface card that connects to the SP³ network.
FEI2_Mask	Subnet mask of interface card 2.
FEI2_InetGateway	IP address of the default gateway to which interface card 2 attaches.
FEI2_InetName	Description of interface card 2. This field does not affect operation.

Table 2-1: Interface Card Parameters

Parameter Description

FEI0_InetAddr

IP address of interface card 0, the interface card that connects to the host network.

FEI0_Mask

Subnet mask of interface card 0.

FEI0_InetGateway

IP address of the default gateway to which interface card 0 attaches.

FEI0_InetName

Description of interface card 0. This field does not affect operation.

FEI1_InetAddr

IP address of interface card 1, the interface card that connects to AAA¹ and DHCP² services.

FEI1_Mask

Subnet mask of interface card 1.

FEI1_InetGateway

IP address of the default gateway to which interface card 1 attaches.

FEI1_InetName

Description of interface card 1. This field does not affect operation.

FEI2_InetAddr

IP address of interface card 2, the interface card that connects to the SP³ network.

FEI2_Mask

Subnet mask of interface card 2.

FEI2_InetGateway

IP address of the default gateway to which interface card 2 attaches.

FEI2_InetName

Description of interface card 2. This field does not affect operation.

¹AAA = authentication, authorization, and accounting.
²DHCP = Dynamic Host Configuration Protocol.
³SP = service provider.

Configuring Security

To configure security settings, enter the following:

SSG  > config set password

The Cisco 6510 prompts you to configure all security settings. When you are finished configuring security settings, enter config save.

Table 2-2 describes each parameter.

Parameter	Description
AAAPassword	RADIUS¹ shared secret between the Cisco 6510 and the authentication authorization, and accounting (AAA) server.
DashBoardPassword	RADIUS shared secret between the Cisco 6510 and the Cisco SSD².
ServicePassword	Password used to authenticate the Cisco 6510 with the CiscoSecure ACS service profiles. This value must match the value configured for the CiscoSecure ACS³ service profiles by the CiscoSecure ACS administrator

Table 2-2: Security Parameters

Parameter Description

AAAPassword

RADIUS¹ shared secret between the Cisco 6510 and the authentication authorization, and accounting (AAA) server.

DashBoardPassword

RADIUS shared secret between the Cisco 6510 and the Cisco SSD².

ServicePassword

Password used to authenticate the Cisco 6510 with the CiscoSecure ACS service profiles. This value must match the value configured for the CiscoSecure ACS³ service profiles by the CiscoSecure ACS administrator

¹RADIUS = Remote Access Dial-In User Service.
²SSD = Service Selection Dashboard.
³ACS = Access Control Server.

Configuring IP Addresses

To configure IP address settings, enter the following:

SSG  > config set ip

The Cisco 6510 prompts you to configure IP addresses. When you are finished, enter config save.

Table 2-3 describes each parameter.

Note When you enter this command, the Cisco 6510 also prompts you to configure failover IP addresses. Press the Enter key until you return to the SSG > prompt.

Parameter	Description
DefaultServerIP	Sets the first IP address that users will be able to access without authentication. This is the IP address where a Cisco SSD resides. After users enter the URL for the Cisco SSD, they will be prompted for a username and password.
DefaultServerIPMask	When used in conjunction with DefaultServerIP, this parameter specifies a range of IP address that users will be able to access without authentication.
DefaultServerIP2	Sets the second IP address that users will be able to access without authentication. This is the IP address where a Cisco SSD resides. After users enter the URL for the Cisco SSD, they will be prompted for a username and password.
DefaultServerIP2Mask	When used in conjunction with DefaultServerIP2, this parameter specifies a range of IP address that users will be able to access without authentication.
AAIP1	Specifies the IP address for the primary authentication server.
AAIP2	Specifies the IP address for the secondary authentication server. This parameter is used for load-balancing or fault tolerance and is optional.
AccountingIP1	Specifies the IP address for the primary accounting server.
AccountingIP2	Specifies the IP address for the secondary accounting server (optional).
DHCPIP	Specifies the IP address of the DHCP server.
SNMPIP	Specifies the IP address of the SNMP

Table 2-3: IP Address Parameters

Parameter Description

DefaultServerIP

Sets the first IP address that users will be able to access without authentication.

This is the IP address where a Cisco SSD resides. After users enter the URL for the Cisco SSD, they will be prompted for a username and password.

DefaultServerIPMask

When used in conjunction with DefaultServerIP, this parameter specifies a range of IP address that users will be able to access without authentication.

DefaultServerIP2

Sets the second IP address that users will be able to access without authentication.

This is the IP address where a Cisco SSD resides. After users enter the URL for the Cisco SSD, they will be prompted for a username and password.

DefaultServerIP2Mask

When used in conjunction with DefaultServerIP2, this parameter specifies a range of IP address that users will be able to access without authentication.

AAIP1

Specifies the IP address for the primary authentication server.

AAIP2

Specifies the IP address for the secondary authentication server. This parameter is used for load-balancing or fault tolerance and is optional.

AccountingIP1

Specifies the IP address for the primary accounting server.

AccountingIP2

Specifies the IP address for the secondary accounting server (optional).

DHCPIP

Specifies the IP address of the DHCP server.

SNMPIP

Specifies the IP address of the SNMP

Configuring Transparent Passthrough

Transparent passthrough is designed to allow unauthenticated traffic (users or network devices that have not logged in to the Cisco 6510 through the Cisco SSD) to pass through the Cisco 6510 (usually to the Internet). This makes the Cisco 6510 easy to integrate into a network without disrupting existing service.

To enable transparent passthrough, enter the following:

SSG  > config set tptenable 1

To disable transparent passthrough, enter the following:

SSG  > config set tptenable 0

Note For information on filtering transparent passthrough, see the "tptfilter download" section and the "Filter" section.

Configuring Debug and Log Settings

The Cisco 6510 can be configured to send logging information to the terminal console connected to the Cisco 6510 or a syslog server. You can specify up to 4levels of information for 9 different debug handlers.

To send logging information to the terminal console and syslog files, see the "logtarget" section.
To send logging information to a UNIX syslog facility, see the "logtarget facility" section.
To set debug levels, see the "debug" section.

Note Debugging should only be used for troubleshooting and is not intended for use in a production environment.

Configuring Failover Settings

To configure the Cisco 6510 for failover:

Step 1 Perform the hardware installation described in the Cisco 6510 Service Selection Gateway Hardware Installation Guide. Be sure to connect the failover cable.

Step 2 On the active unit, configure the settings described in this chapter.

Step 3 On the standby unit, configure the interface cards. See the "Configuring the Interface Cards" section.

Step 4 Go to the active unit.

Step 5 Enter the following command:

SSG > failover set

The Cisco 6510 prompts you to configure the IP addresses for all interface cards in both the active and standby Cisco 6510. These must match the IP addresses set in the "Configuring the Interface Cards" section.

Step 6 Enable the new settings by entering failover enable at both units.

Step 7 Save the configuration by entering config save.

Step 8 Activate failover by entering failover reset at both units or reboot by entering reboot from the active unit.

Step 9 To test the configuration, enter failover test. If failover is correctly configured, the Cisco 6510 will display text similar to the following:

---------------- Failover module Self Test --------------------

FAILOVER: (selfTest) tNetTask OK.

FAILOVER: (selfTest) Cable OK.

FAILOVER: (selfTest) Ethernet(3) OK.

FAILOVER: (selfTest) Ethernet(2) OK.

FAILOVER: (selfTest) Ethernet(1) OK.

Configuring Advanced Settings

This section describes Cisco 6510 advanced settings.

Configuring AA Fault Tolerance Settings

The Cisco 6510 can be configured to work with a single AA server, two AA servers in a load-balancing configuration, or two AA servers in a fault-tolerant configuration. Select from the following:

Single AA server, no load balancing, no fault tolerance---If only one AA server is configured (AAIP1 or AAIP2), all AA requests are sent to this server. Because there is no secondary server, neither load balancing nor fault tolerance is possible.
Dual AA servers, load balancing, no fault tolerance---If two AA servers are configured (AAIP1 and AAIP2) and the AAFTCheckInterval parameter is set to 0, the Cisco 6510 load balances (round-robin) the requests between these two IP addresses, resulting in better response times and increased load utilization. However, if one of the two servers fails, some authentication requests might fail.

: If you plan to use a second server for load balancing, take special precautions to verify that the databases used by both servers are synchronized. Otherwise, you might experience unexpected results.

Dual AA servers, no load balancing, fault tolerance---If two AA servers are configured (AAIP1 and AAIP2) and the AAFTCheckInterval parameter is set to a value other than 0, AA requests are sent to the first server until it stops responding.

: The Cisco 6510 checks the AA server using the interval specified in the AAFTCheckInterval parameter (default: 60 seconds). To determine whether the AA server failed, the Cisco 6510 uses the AAFTCheckThreshold parameter. By default, this parameter is set to 0.1. This means that if 1 reply is received for every 10 requests, the server is still considered operational. Any lower ratio will cause a server switch.

Configuring DNS Fault Tolerance Settings

The Cisco 6510 can be configured to work with a single Domain Name System (DNS) server, two DNS servers in a load balancing configuration, or two DNS servers in a fault tolerant configuration. Select from the following:

Single DNS server, no load balancing, no fault tolerance---If only one DNS server is configured, all DNS requests are sent to this server. Because there is no secondary server, neither load balancing nor fault tolerance is possible.
Dual DNS servers, load balancing, no fault tolerance---If two DNS servers are configured and the DNSFTCheckInterval parameter is set to 0, the Cisco 6510 load balances (round-robin) the requests between these two IP addresses. This results in better response times and increased load utilization. However, if one of the two servers fails, some requests might fail.
Dual DNS servers, no load balancing, fault tolerance---If two DNS servers are configured and the DNSFTCheckInterval parameter is set to a value other than 0, DNS requests are sent to the first server until it stops responding.

: The Cisco 6510 checks the DNS server using the interval specified in the DNSFTCheckInterval parameter (default: 60 seconds). To determine whether the DNS server failed, the Cisco 6510 uses the DNSFTCheckThreshold parameter. By default, this parameter is set to 0.1. This means that if 1 reply is received for every 10 requests, the server is considered operational.

Configuring Other Advanced Settings

Most of the Cisco 6510 advanced parameters are configured for optimal performance for most applications. For more information on modifying these settings, refer to "Configuration Reference."

Parameter	Description
AAAClientIF	Specifies the interface card from which the Cisco 6510 will listen for RADIUS requests from the Cisco SSD (default: interface card 0).
ACCOUNTINGRemotePort	Port number on which the RADIUS server connected to the Cisco 6510 listens for accounting packets. (default: 1646)
AcctRetryCount	Number of times the Cisco 6510 retries an accounting request packet before timing out the request. (default: 5)
AcctTimeout	Number of seconds the Cisco 6510 waits before timing out an accounting request packet. (default: 10)
ARPRetryCount	Number of times the Cisco 6510 retries an ARP¹ request packet before timing out the request. (default: 1)
ARPTimeout	Number of milliseconds the Cisco 6510 waits before timing out an ARP request packet. (default: 0)
DefaultServerIF	Specifies the interface card to which the default server (specified by DefaultServerIP) is attached (default: interface card 2).
DHCPRelayEnable	Configures the Cisco 6510 as a DHCP relay agent.
DHCPRemotePort	Remote port from which the Cisco 6510 receives DHCP packets. (default: 67)
DNSRemotePort	Remote port from which the Cisco 6510 receives DNS packets. (default: 53)
IGMPHelperEnable	Enables support for IGMP². This parameter must be enabled if there is a router between the Cisco 6510 and the host network.
L2FRemotePort	Port number from which the home gateway connected to the Cisco 6510 listens for L2F³ packets. (default: 1701)
MaxServicePerHost	Specifies the maximum number of concurrent services to which users can be connected.
MulticastEnable	Enables or disables multicast support for the Cisco 6510.
NATFTPConnTimeout	Number of milliseconds the Cisco 6510 waits before timing out an FTP connection request for NAT⁴. (default: 14400)
NATFTPFinConnTimeout	Interval, in seconds, that the Cisco 6510 waits before timing out the connection object for an FTP connection. (default: 1)
NATFTPCleanupInternal	Interval that the Cisco 6510 waits before cleaning up a connection object for an FTP NAT request. (default: 300)
NATFTPCTaskDelay	Interval, in seconds, that the Cisco 6510 delays processing a task that it carries out when processing an FTP⁵ connection. (default: 15)
RADIUSRemotePort	Port number from which the RADIUS server connected to the Cisco 6510 listens for RADIUS authentication packets. (default: 1645)
SNMPIP	IP address of the SNMP manager.
SNMPRemoteport	The port that the SNMP manger uses to listen for SNMP packets.
SNMPRetryCount	The number of messages the Cisco 6510 sends when it generates an SNMP trap⁶.

Table 2-4: Advanced Settings Parameters

Parameter Description

AAAClientIF

Specifies the interface card from which the Cisco 6510 will listen for RADIUS requests from the Cisco SSD (default: interface card 0).

ACCOUNTINGRemotePort

Port number on which the RADIUS server connected to the Cisco 6510 listens for accounting packets. (default: 1646)

AcctRetryCount

Number of times the Cisco 6510 retries an accounting request packet before timing out the request. (default: 5)

AcctTimeout

Number of seconds the Cisco 6510 waits before timing out an accounting request packet. (default: 10)

ARPRetryCount

Number of times the Cisco 6510 retries an ARP¹ request packet before timing out the request. (default: 1)

ARPTimeout

Number of milliseconds the Cisco 6510 waits before timing out an ARP request packet. (default: 0)

DefaultServerIF

Specifies the interface card to which the default server (specified by DefaultServerIP) is attached (default: interface card 2).

DHCPRelayEnable

Configures the Cisco 6510 as a DHCP relay agent.

DHCPRemotePort

Remote port from which the Cisco 6510 receives DHCP packets. (default: 67)

DNSRemotePort

Remote port from which the Cisco 6510 receives DNS packets. (default: 53)

IGMPHelperEnable

Enables support for IGMP². This parameter must be enabled if there is a router between the Cisco 6510 and the host network.

L2FRemotePort

Port number from which the home gateway connected to the Cisco 6510 listens for L2F³ packets. (default: 1701)

MaxServicePerHost

Specifies the maximum number of concurrent services to which users can be connected.

MulticastEnable

Enables or disables multicast support for the Cisco 6510.

NATFTPConnTimeout

Number of milliseconds the Cisco 6510 waits before timing out an FTP connection request for NAT⁴. (default: 14400)

NATFTPFinConnTimeout

Interval, in seconds, that the Cisco 6510 waits before timing out the connection object for an FTP connection. (default: 1)

NATFTPCleanupInternal

Interval that the Cisco 6510 waits before cleaning up a connection object for an FTP NAT request. (default: 300)

NATFTPCTaskDelay

Interval, in seconds, that the Cisco 6510 delays processing a task that it carries out when processing an FTP⁵ connection.
(default: 15)

RADIUSRemotePort

Port number from which the RADIUS server connected to the Cisco 6510 listens for RADIUS authentication packets.
(default: 1645)

SNMPIP

IP address of the SNMP manager.

SNMPRemoteport

The port that the SNMP manger uses to listen for SNMP packets.

SNMPRetryCount

The number of messages the Cisco 6510 sends when it generates an SNMP trap⁶.

¹ARP = Address Resolution Protocol.
²IGMP = Internet Group Management Protocol.
³L2F = Layer 2 Forwarding.
⁴NAT = network address translation.
⁵FTP = File Transfer Protocol.
⁶SNMP = Simple Network Management Protocol.

Table of Contents

Installing and Configuring the Cisco 6510 Software